On Thu January 1 2009, Victor Duchovni wrote:
> On Thu, Jan 01, 2009 at 06:26:49PM -0800, David Schwartz wrote:
>
> > Edward Diener wrote:
> >
> > > > 1) You need someone to confirm that having a client use a
> > > > known-compromised private key to authenticate over SSL is no worse than
> > > > the client using no key at all. It seems to me like you'd almost have
> > > > to try to make this a problem, but who knows -- maybe it's never been
> > > > thought about.
> > >
> > > Whether a client private key is used or no client key at all, there is
> > > still the issue of figuring out the username/password.
> >
> > No, there isn't. If using a known-compromised client key compromises the SSL
> > connection, then an attacker can get a username/password simply by reading
> > it out of a compromised SSL connection.
>
> No such compromise happens, so this is not relevant. Compromised client
> keys don't compromise SSL provided the server key is secured and the
> server does not rely on client certificates for client authentication.
>
Which, by one of his recent posts, is where Edward Diener is at now. He went off to re-examine the "GRANT" statements and options in the server side of his application.

The confusion seems to be based in the MySQL reference manual example of setting up secure communications. It does not specify which parts of the example are required and which are optional depending on "GRANT" settings. Just as one could reasonably suspect, MySQL is perfectly capable of using an SSL-secured communications link and leaving the client authentication to something other than a client-side certificate. It is just that stinking example in the reference manual that makes MySQL users think otherwise. ;)

Mike

OT: I wonder how many other products have "now aim at your foot" directions?

> > On another note, something still seems fundamentally wrong with your
> > approach. Since every customer has a username/password, and you don't trust
> > your customers, you still cannot allow someone to mess with an arbitrary
> > data just because he has a valid username/password.
>
> We've hashed this part out already, let's not go there again.
>
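The GRANT-side distinction Mike points to, as an added illustration that is not from the thread or the MySQL manual: on MySQL 5.x it is the REQUIRE clause of GRANT that decides whether a client certificate is merely optional transport material or an authentication credential, which is exactly the difference Victor Duchovni draws above. The database name, account names, password and DN strings are made up for the example.

```sql
-- Transport only: the session must be TLS-encrypted, but the client is
-- authenticated by password. The client need not present a certificate at
-- all, so a leaked client key gives nothing without the password.
GRANT SELECT, INSERT ON app.* TO 'appuser'@'%'
    IDENTIFIED BY 'long-random-password-placeholder'
    REQUIRE SSL;

-- Certificate as credential: a certificate that validates against the CA the
-- server is configured with is required in addition to the password. Here a
-- compromised client key IS a credential and the certificate must be reissued.
GRANT SELECT, INSERT ON app.* TO 'certuser'@'%'
    IDENTIFIED BY 'long-random-password-placeholder'
    REQUIRE X509;

-- Pinned certificate: only a certificate with this exact subject, signed by
-- this exact issuer, is accepted. Narrowest option if client certs are wanted.
GRANT SELECT ON app.* TO 'pinneduser'@'%'
    IDENTIFIED BY 'long-random-password-placeholder'
    REQUIRE SUBJECT '/C=US/ST=CA/O=Example/CN=pinned-client'
        AND ISSUER  '/C=US/ST=CA/O=Example/CN=Example Internal CA';

-- Checks a DBA can run to see which regime an account is actually under.
SHOW GRANTS FOR 'appuser'@'%';      -- the REQUIRE clause appears in the output
SHOW VARIABLES LIKE 'have_ssl';     -- YES means the server is built/configured for TLS
SHOW STATUS LIKE 'Ssl_cipher';      -- non-empty only in a session that is really encrypted
```

The manual example Mike complains about bundles the client certificate steps with the server ones; only the REQUIRE X509 / SUBJECT / ISSUER forms actually make the client key matter for login.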